What's the right way to save HTML in database?

Well if you're using one of those editors, you need to save it as is. You then display it either with entities/escape it if you don't want it to be displayed as rending HTML. Be aware that they can input any HTML/JS etc in this case...

So what's the alternative? How do I stop users from vandalizing my app like

<script>alert("Hello World");</script>

You might want to run the input through HTMLPurifier before saving to the database.

https://github.com/mewebstudio/Purifier

It will allow only certain tags in your html, stripping out any nasty things like javascript.

You could use it on the output instead, but that's overhead you can do without on every page view.

@sitesense

Thanks!, I'm going to try it now.

Yeah as sitesense said, use something like that. Just depends who's adding the content in, if it's a client's website you'd probably want to allow most stuff but disallow things that could break the website (flash etc)

( posting as note to remember this )

@andy You can favorite the thread by pressing the star at the top of the thread ;)

@andy Please do... replying just for that is silly :)

@bobbybouwmann @bashy I saw the email checkbox but didn't see that star ... Thanks guys!

Sorry to dig up this old thread. But I was just wondering what place makes the most sense to put the code? Would I add this to a

setNameAttribute($value) {
    return Purifier::clean( $value );
}

Or would I add it in my controller right before I call the save method?

[And I'm digging up this old thread some more :p] @Pendo I plan on putting in the boot method of my model - see "Model Events": https://laravel.com/docs/5.2/eloquent#events

    protected static function boot()
    {
        parent::boot();

        static::updating(function(Note $note) {
            $note->notes = clean($note->notes);
        });
    }

Thanks, at least that's an answer after 4 months, haha!